Abstract

Increasing numbers of mobile computing devices, user-portable or embedded in vehicles, cargo containers, or the physical space, need to be aware of their location in order to provide a wide range of commercial services. Most often, mobile devices obtain their own location with the help of Global Navigation Satellite Systems (GNSS), integrating, for example, a Global Positioning System (GPS) receiver. Nonetheless, an adversary can compromise location-aware applications by attacking the GNSS-based positioning: it can forge navigation messages and mislead the receiver into calculating a fake location. In this paper, we analyze this vulnerability and propose and evaluate the effectiveness of countermeasures. First, we consider replay attacks, which can be effective even in the presence of future cryptographic GNSS protection mechanisms. Then, we propose and analyze methods that allow GNSS receivers to detect the reception of signals generated by an adversary, and then reject fake locations calculated because of the attack. We consider three diverse defense mechanisms, all based on knowledge receivers can obtain prior to the onset of an attack, in particular their own location, time, and Doppler shift. We find that inertial mechanisms that estimate location can be defeated relatively easily. This is equally true for the mechanism that relies on clock readings from off-the-shelf devices; as a result, highly stable clocks could be needed. On the other hand, our Doppler Shift Test can be effective without any specialized hardware, and it can be applied to existing devices.

1 Introduction 

As wireless communications enable an ever-broadening spectrum of mobile computing applications, location or position information becomes increasingly important for those systems. Devices need to determine their own position¹ to enable location-based or location-aware functionality and services. Examples of such systems include: sensors reporting environmental measurements; cellular telephones or portable digital assistants (PDAs) and computers offering users information and services related to their surroundings; mobile embedded units, such as those for Vehicular Communication (VC) systems seeking to provide transportation safety and efficiency; or, merchandise (container) and fleet (truck) management systems.

1 In this paper, we are not concerned with the related but orthogonal localization problem of allowing a specific entity to determine and ascertain the location of other devices.

Global navigation satellite systems (GNSS), such as the Global Positioning System (GPS), its Russian counterpart (GLONASS), and the upcoming European GALILEO system, are the most widely used positioning technology. GNSS transmit signals bearing reference information from a constellation of satellites; computing platforms (nodes), equipped with the appropriate receiver, can decode them and determine their own location.

However, commercial instantiations of GNSS systems, which are within the scope of this paper, are open to abuse: an adversary can influence the location information, loc(V), a node V calculates, and compromise the node operation. For example, in the case of a fleet management system, an adversary can target a specific truck. First, the adversary can use a transmitter of forged GNSS signals that overwrite the legitimate GNSS signals to be received by the victim node (truck) V. This would cause a false loc(V) to be calculated and then reported to the fleet center, essentially concealing the actual location of V from the fleet management system. Once this is achieved, physical compromise of the truck (e.g., breaking into the cargo or hijacking the vehicle) is possible, as the fleet management system would have limited or no ability to protect its assets.

This is an important problem, given the consequences such attacks can have. In this paper, we are concerned with methods to mitigate such a vulnerability. In particular, we propose mechanisms to detect and reject forged GNSS messages, and thus avoid manipulation of GNSS-based positioning. Our investigation is complementary to cryptographic protection, which commercial GNSS systems do not currently provide but are expected to do so in the future (e.g., authentication services by the upcoming GALILEO system [5]). Our approach is motivated by the fundamental vulnerability of GNSS-based positioning to replay attacks [9], which can be mounted even against cryptographically protected GNSS.

The contribution of this paper consists of three mechanisms that allow receivers to detect forged GNSS messages and fake GNSS signals. Our countermeasures rely on information the receiver obtained before the onset of an attack, or more precisely, before the suspected onset of an attack. We investigate mechanisms that rely on the receiver's own (i) location information, calculated from GNSS navigation messages, (ii) clock readings, without any re-synchronization with the help of the GNSS or any other system, and (iii) received GNSS signal Doppler shift measurements. Based on those different types of information, our mechanisms can detect if the received GNSS signals and messages originate from adversarial devices. If so, location information induced by the attack can be rejected and manipulation of the location-aware functionality avoided. We clarify that the reaction to the detection of an attack, and mechanisms that mitigate unavailability of legitimate GNSS signals, are out of the scope of this paper.

We briefly introduce the GNSS operation and related work in Sec. 2. We discuss the adversary model and specific attack methods in Sec. 3.2. We then present and analyze the three defensive mechanisms in Sec. 4. Our findings support that highly accurate clocks can be very effective, at the expense of appropriate clock hardware; but they can otherwise be susceptible, when off-the-shelf hardware is used. Location-based mechanisms can also be defeated relatively easily. On the contrary, our Doppler Shift Test (DST) provides accurate detection of attacks, even against a sophisticated adversary.



2 GNSS Overview

2.1 Basic Operation

Each GNSS-equipped node V can receive simultaneously a set of navigation messages NAV_i from each satellite S_i in the visible constellation. Satellite transmitters utilize a spread-spectrum technique and each satellite is assigned a unique spreading code C_i. These codes are a priori publicly known. Navigation messages allow V to determine its position, loc(V) = (X_V, Y_V, Z_V), in a Cartesian system, as well as global time, by obtaining a clock correction or time offset, t_V, also called the synchronization error. At least four satellites should be visible in order for a receiver to compute position and exact time, the so-called PVT (Position, Velocity and Time) or navigation solution [6]. This computation relies on the pseudo-range measurements performed by V, one pseudo-range per visible satellite, that is, estimating the satellite-receiver distance based on the estimated signal propagation delay, p_i. For each pseudo-range p_i estimated at V, the following equation is formed:

$p_i = |s_i - \mathrm{loc}(V)| + c \cdot t_V$   (1)

The satellite S_i position is s_i, the receiver position is loc(V), c is the speed of light, and t_V is the synchronization error for V.



2.2 Future Cryptographic GNSS Protection

Cryptographic protection ensures the authenticity and integrity of GNSS messages, i.e., ensures that only NAV messages generated by GNSS entities, with no modification, are accepted and used by nodes. Currently, cryptography is used in military systems, but it is not available for commercial systems to provide authenticity and integrity. Public or asymmetric key cryptography is a flexible and scalable approach that does not require tamper-resistant receivers². Independently of the number of receivers present in the system (possibly millions or eventually hundreds of millions), a pair of private/public keys k_i, K_i can be assigned to each satellite S_i, with the public key bound to the satellite identity via a certificate provided by a Certification Authority. Each receiver obtains the certified public keys of all satellites in order to be able to validate NAV messages digitally signed with the corresponding k_i. Navigation Message Authentication (NMA) [5] will be available as a GALILEO service.

To further enhance protection, a different public-key NMA approach was proposed in [7]. Each S_i chooses a secret spreading code for each NAV message but discloses this, along with a hidden timing marker, in a delayed and authenticated manner to the receiving nodes. If nodes can maintain accurate clocks by means other than the GNSS system alone, they can then safely detect messages that are forged or replayed between the time of their creation and the code disclosure. A similar idea using Secret Spreading Codes (SSC) was presented in [11].

3 Attacking GNSS

3.1 Adversary model

The location (position) GNSS-equipped nodes obtain can be manipulated by an external adversary, without any adversarial control on the GNSS entities (the system ground stations, the satellites, the ground-to-satellite communication, and the receiver). If any cryptographic protection is present, we assume that cryptographic primitives are not breakable and that the private keys of satellites cannot be compromised. The adversary can receive signals from all available satellites (depending on the locations of the adversary-controlled receivers). It is also fully aware of the GNSS implementation specifics and thus can produce fully compliant signals, i.e., with the same modulation, transmission frequency equal to the nominal one, f_t, or any frequency in the range of received ones, f_r; similarly, transmitted and received signal powers, as well as message preambles and body format (header, content).

2 To prevent the compromise of a single, system-wide symmetric key, shared among the GNSS and all nodes.

We classify adversaries based on their ability to reproduce GNSS messages and signals, considering ones equipped with:
1. Single or multiple radios, each transmitting at the same constant power, P_t^c, and frequency f_t^c.

2. Single or multiple radios, each being able to adapt its transmission frequency, f_t^j, over time; j is an index of adversarial radios.

3. Multiple radios with adaptive transmission capabilities as above, and additionally the ability to establish fast communication among any of the adversarial nodes equipped with those radios.

Adversarial radios in all above cases can record GNSS signals and navigation messages for long periods. For all adversaries above, we consider a nominal range R within which adversarial transmissions can be received, with this value varying for different adversarial radios. We denote this as the area under attack. Clearly, the more powerful and the more numerous radios an adversary has, the higher its potential impact can be. In that sense, it can influence a larger system area and potentially mislead more receivers.

We assume that the area under attack does not coincide with the wireless system area. In other words, the adversary has limited physical presence and communication capabilities. This implies that nodes can lock on actual GNSS signals for a period of time before entering an area under attack. We do not dwell on how frequently and under what circumstances nodes are under attack. Rather, we investigate the strength of different defense mechanisms given that a node is under attack. We abstract the physical properties of the adversarial equipment and consider the periods of time it can cause unavailability and maintain the receiver locked on the spoofed signal.

We emphasize that our attack model is not the worst case; this would be a receiver under attack during its cold start, that is, the first time it is turned on and searches for GNSS signals to lock on. However, our adversary model corresponds to a broad range of realistic cases and it is a powerful one. For example, returning to the cargo example of the introduction: it will be hard for an adversary to control a receiver from its installation, e.g., on a container, and then throughout a trip. But it would be rather easy to select a location and time to mount its attack. Regarding the strength of the attacker, it is noteworthy that attacks are possible without any physical access to and without tampering with the victim node(s) software and hardware.

3.2 Mounting Attacks against GNSS Receivers

The adversary can construct a transmitter that emits signals identical to those sent by a satellite, and mislead the receiver into believing that the signals originate from a visible satellite. However, the attacker has to first force the receiver to lose its "lock" on the satellite signals. This can be achieved by jamming legitimate GNSS signals, by transmitting a sufficiently powerful signal that interferes with and obscures the GNSS signals [12]. Jammers are simple to construct at low cost and very effective: for example, with 1 Watt of transmission power, the reception of GNSS signals is stopped within a radius of approximately 35 km [6, 12].

Then, the adversary can spoof GNSS signals, i.e., forge and transmit signals at the same frequency and with power that exceeds that of the legitimate GNSS signal at the receiver's antenna. Satellite simulators are capable of broadcasting simultaneously signals carrying counterfeit navigation data from ten satellites³. The spoofed signal can also be generated by manipulating and rebroadcasting actual signals (meaconing). As long as the lock of the victim receiver V on the spoofed signal persists, loc(V) is under the influence or full control of the adversary.

Figure 1: Illustration of the replay attack: the adversary captures and replays the signal after some time t_replay = t_replay^min + τ, with τ ≥ 0 chosen by the adversary, and t_replay^min > 0 imposed by the specifics of the attack configuration and the adversary capabilities.

Apart from jamming, the adversary could take advantage of gaps in coverage, i.e., areas and periods of time for which V cannot lock on to more than three satellite signals. Clearly, this can often happen in urban areas or because of the terrain, such as tunnels or obstructions from high-rise buildings. We do not consider this case further, as such loss of satellite signals is not under the control of the attacker. Nonetheless, the tests we propose here are effective independently of what causes receivers to lose lock on GNSS signals.

3.3 Replay attack

The replay attack can be viewed as a part of a more general class of relay attacks: the attacker receives at one location legitimate GNSS signals, relays those to another location where it retransmits them without any modification. This way the adversary can avoid detection if cryptography is employed, while it can "present" a victim with GNSS signals that are not normally visible at the victim's location. In this paper, we abstract away the placement of adversarial nodes, and we characterize the replay attack by two features: (i) the adversarial node capability to receive, record and replay GNSS signals, and (ii) the delay t_replay between reception and re-transmission of a signal.

3 The adversary can deceive the receiver after down-conversion of the satellite signal, with one component in-phase and one in-quadrature:

$I(t) = a_i C_a(t) M(t) \cos(\varphi)$   (2)

$Q(t) = a_q C_a(t) M(t) \sin(\varphi)$   (3)

C_a is the C/A (Coarse/Acquisition) code, M(t) is the NAV message, and coefficients a_i and a_q represent the signal attenuation. The attacker could pick the amplifying coefficients a_i and a_q such that the received signal power exceeds the nominal power of a GPS signal [13].

The GNSS signal reception and replay can be done at the message or symbol level, or it can be done by recording the entire frequency band and replaying it without de-spreading signals. The latter, more involved and thus costly, would enable the attacker to mount an attack against the delayed-disclosure secret spreading code approach, as pointed out in [7], not only for long replaying delays but also for very short ones. Clearly, such an instantiation of the replay attack implies a more sophisticated adversary than one replaying symbols or messages. For example, the adversary would need to infer, possibly by possessing a legitimate receiver, the start of NAV messages to replay signals accordingly.

The t_replay delay between reception and re-transmission depends on the attack configuration (e.g., the distance between the receiving and re-transmitting adversarial radios, the physics of the signal propagation, and, when applicable, the delay for the adversary to decode the GNSS signal). We capture such factors by considering t_replay^min > 0, a minimum delay that the adversary cannot avoid. Beyond this, the attacker can choose some additional delay τ ≥ 0, such that it replays the signal after t_replay = t_replay^min + τ. We illustrate a replay attack in Fig. 1. The recording of the NAV message starts after its beginning is detected, due to the preamble 10001011, with length of eight chips, and the decoding of the NAV message's first bit. This corresponds to t_replay^min = 20 ms: the transmission rate of 50 bit/s implies that 20 ms are needed for the first bit to be received by an adversarial radio.

The adversary can choose different t_replay values for signals from different satellites; the selection of which signals (from which satellites) to relay offers flexibility. But even the "blind" replaying of all NAV signals (the entire band) with the same delay can be effective: essentially, t_replay controls the "shift" in the PVT solution the adversary induces to the victim node(s).

Fig. 2 shows the impact of a replay attack as a function of the spoofing stage of the attack: (i) the location offset or error, i.e., the distance between the attack-induced and the actual victim receiver position, and (ii) the time offset or error, that is, the time difference between the attack-induced clock value and the actual time. We consider for this example t_replay = 20 ms, as the first bit decoding delay dwarfs the preamble detection and propagation delays. This is indeed a very subtle attack; we refer to [9] for a range of t_replay values, which shows that the larger the t_replay, as the adversary tunes its τ value, the higher the location and time offsets.

Figure 2: Impact of the replay attack, as a function of the spoofing attack duration. (a) Location offset or error: distance between the attack-induced and the actual victim receiver position. (b) Time offset or error: time difference between the attack-induced clock value and the actual time.

Even for a very low t_replay, while the mobile node receiver is still locked on the attacker-transmitted signals, the location error increases, with the victim receiver "dragged" away from its actual position. Each millisecond of t_replay translates approximately into 300 m of location offset for each pseudorange (as the speed of light, c, is taken into account), with the actual "displacement" of the victim depending on the geometry (e.g., position of the satellite whose signals were replayed).

As for the time offset, which can be viewed as a side-effect of the attack: it is in the order of less than one millisecond per second, and it can very well go unnoticed by the user. With a given t_replay, every time the victim receiver re-synchronizes, typically at the end of a NAV message that lasts 30 sec, t_replay will emerge as t_V from the PVT solution and thus will be accumulated as part of the time offset shown in Fig. 2.
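The following Python block is an added example, not code from the paper: a Gauss-Newton least-squares solver for Eq. (1) on a constructed geometry (the receiver position, clock bias and five satellite positions are made up, not real ephemeris), used to show what a replayed signal does to the navigation solution of Sec. 3.3. A delay applied to all signals leaves the position intact and surfaces entirely as t_V, while a delay on a single satellite's signal displaces the computed position by an amount set by c·t_replay (1 µs of delay is 300 m of pseudorange error) and the satellite geometry.

```python
# Added example (not code from the paper): a Gauss-Newton PVT solver for Eq. (1),
# p_i = |s_i - loc(V)| + c * t_V, run on a constructed satellite geometry to show
# what a replayed (delayed) signal does to the navigation solution (Sec. 3.3).
import math

C = 299_792_458.0  # speed of light, m/s

def norm(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]

def pvt_solve(sats, pranges, iters=20):
    """Least-squares solution of Eq. (1) for (X_V, Y_V, Z_V, c*t_V).
    Returns (location, t_V in seconds)."""
    x = [0.0, 0.0, 0.0, 0.0]            # start at the origin, as receivers commonly do
    for _ in range(iters):
        h, r = [], []
        for s, p in zip(sats, pranges):
            d = norm(s, x[:3])
            # linearised Eq. (1): unit line-of-sight row plus the clock term
            h.append([(x[j] - s[j]) / d for j in range(3)] + [1.0])
            r.append(p - (d + x[3]))
        hth = [[sum(row[i] * row[j] for row in h) for j in range(4)] for i in range(4)]
        htr = [sum(row[i] * ri for row, ri in zip(h, r)) for i in range(4)]
        dx = solve_linear(hth, htr)     # normal equations (H^T H) dx = H^T r
        x = [xi + di for xi, di in zip(x, dx)]
        if max(abs(d) for d in dx) < 1e-4:
            break
    return x[:3], x[3] / C

# ---- constructed scenario (not real ephemeris) ------------------------------
RECEIVER = (3_900_000.0, 3_000_000.0, 4_000_000.0)   # true loc(V), metres, ECEF-like
CLOCK_BIAS = 1e-3                                     # true t_V, seconds
SATS = [                                              # five satellites, ~26,560 km radius
    (26_560_000.0, 0.0, 0.0),
    (0.0, 26_560_000.0, 0.0),
    (0.0, 0.0, 26_560_000.0),
    (16_334_000.0, 12_563_000.0, 16_759_000.0),
    (18_000_000.0, 18_000_000.0, 8_000_000.0),
]

def pseudoranges(extra_delays):
    """Eq. (1) per satellite; extra_delays[i] is a replay delay t_replay (s) on S_i."""
    return [norm(s, RECEIVER) + C * (CLOCK_BIAS + d) for s, d in zip(SATS, extra_delays)]

def replay_effect(t_replay, targets):
    """Location offset (m) and computed t_V (s) when the signals of the satellites
    indexed in `targets` reach the receiver t_replay seconds late."""
    delays = [t_replay if i in targets else 0.0 for i in range(len(SATS))]
    loc, t_v = pvt_solve(SATS, pseudoranges(delays))
    return norm(loc, RECEIVER), t_v

if __name__ == "__main__":
    print("no attack          ", replay_effect(0.0, set()))
    print("all signals +20 ms ", replay_effect(20e-3, set(range(5))))  # blind replay
    print("one signal  +1 us  ", replay_effect(1e-6, {0}))            # selective replay
```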

4 Defense mechanisms

We investigate three defense mechanisms that rely on a common underlying three-step idea. First, the receiver collects data for a given parameter during periods of time it deems it is not under attack; we term this the normal mode. Second, based on the normal mode data, the receiver predicts the value of the parameter in the future. When it suspects it is under attack, it enters what we term alert mode. In this mode, the receiver compares the predicted values with the ones it obtains from the GNSS functionality. If the GNSS-obtained values differ, beyond a protocol-selectable threshold, from the predicted ones, the receiver deems it is under attack. In that case, all PVT solutions obtained in alert mode are discarded. Otherwise, the suspected PVT solutions are accepted and the receiver reverts to the normal mode.

In this work, we consider three parameters: location, time, and Doppler shift, and we present the corresponding detection mechanisms, the Location Inertial Test, the Clock Offset Test, and the Doppler Shift Test. We emphasize again that all three mechanisms rely on the availability of prior information collected in normal mode; they are irrelevant if the receiver starts its operation without any such information (i.e., a cold start).

To evaluate the proposed schemes, we use GPS traces collected by an ASHTECH Z-XII3T receiver that outputs observation and navigation (.obs and .nav) data in RINEX (Receiver Independent Exchange Format) [8]. We implement the PVT solution functionality in Matlab, according to the receiver interface specification [8]. Our implementation operates on the RINEX data, which include pseudoranges and Doppler frequency shift and phase measurements. We simulate the movement of receivers over a period of T = 300 s, with their position updated at steps of

Figure 3: Location error of the Crista IMU-15 inertial sensor, as a function of the GNSS unavailability period.

Figure 4: Illustration of location error using inertial sensors: actual vs. estimated trajectory when under attack.



4.1 Location Inertial Test

At the transition to alert mode, the node utilizes its own location information obtained from the PVT solution to predict positions while in alert mode. If those positions match the PVT ones suspected as fraudulent, the receiver returns to normal mode. We consider two approaches for the location prediction: (i) inertial sensors and (ii) Kalman filtering.

Inertial sensors, i.e., altimeters, speedometers, odometers, can calculate the node (receiver) location independently of the GNSS functionality⁴. However, the accuracy of such (electro-mechanical) sensors degrades with time. One example is the low-cost inertial MEMS Crista IMU-15 sensor (Inertial Measurement Unit).

Fig. 3 shows the position error as a function of time [4], which in our context corresponds to the period the receiver is in alert mode. As the inertial sensor inaccuracy increases, the node has to accept attack-induced locations as normal. Fig. 4 shows a two-dimensional projection of two trajectories, the actual one and the estimated and erroneously accepted one. We see that over a short period of time, a significant difference is created because of the attack.

4 They have already been used to provide continuous navigation between the update periods for GNSS receivers, which essentially are discrete-time position/time sensors with a sampling interval of approximately one second.

A more effective approach is to rely on Kalman filtering of location information obtained during normal mode. Predicted locations can be obtained by the following system model:

$S_{k+1} = \Phi_k S_k + W_k$   (4)

with S_k being the system state, i.e., the location (X_k, Y_k, Z_k) and velocity (V_{xk}, V_{yk}, V_{zk}) vectors, Φ_k the transition matrix, and W_k the noise. Fig. 5 illustrates the location offset for a set of various trajectories. Unlike the case where only inertial sensors are used, with measurements of inertial sensors (with the error characteristics of Fig. 3) used as data when GNSS signals are unavailable, filtering provides a linearly increasing error with the period of GNSS unavailability.

Overall, for short unavailability periods, inertial mechanisms can be effective. As long as the error (y-axes of Figs. 3 and 5) does not grow significantly, the replay attack can be detected. But for sufficiently high errors, the replay attack impact can remain undetected. We remind the reader that the x-axes in Fig. 2 provide the duration of the spoofing attack, i.e., the transmission (replay) of GNSS signals, and they are not to be confused with the duration of the GNSS period of unavailability on the x-axes of Figs. 3 and 5.

Figure 5: Distance error of inertial mechanisms with Kalman filtering, as a function of the GNSS unavailability period.

Figure 6: Clock offset for the ASHTECH Z-XII3T receiver, during a 900 sec period with no re-synchronization.

4.2 Clock Offset Test

Each receiver has a clock that is in general imprecise, due to the drift errors of the quartz crystal. If the reception of GNSS signals is disrupted, the oscillator switches from normal to holdover mode. Then, the time accuracy depends only on the stability of the local oscillator [2,6]. The quartz crystals of different clocks run at slightly different frequencies, causing the clock values to gradually diverge from each other (skew error).

A simulation-based study [2] of quartz clocks claims that coarse time synchronization can be maintained at microsecond accuracy without GPS reception for 350 sec in 95% of cases. This means that quartz oscillators can maintain millisecond synchronization for a few hours, including random errors and temperature change inaccuracies. Indeed, in such a case, the adversary would need to cause GNSS unavailability for long periods of time, for example, tens of hours, before being able to mount a relay attack that causes a time offset in the order of tens of milliseconds.

However, without highly stable clocks, mounting attacks against the Clock Offset Test can be significantly easier. This can be the case for an ASHTECH receiver, for which time offset values are shown at successive points in time, each 30 seconds apart, in Fig. 6. We clarify that this is not to be perceived as criticism of a given receiver or as the basis for the suitability of the Clock Offset Test. As explained above, the stability of the receiver clock determines the strength of this test. But the data in Fig. 6, over a period of 900 seconds, demonstrate exactly that for commodity receivers significant instability is observed; time offset values are in the order of ten milliseconds (or slightly less). Consequently, the adversary would need to jam for roughly a couple of minutes and force the receiver to consider as acceptable a time offset of 20 to 32 milliseconds; the receiver would thus be misled by a replay attack as detailed in Sec. 3.3.

Finally, we note that we do not consider here the case of synchronization by means external to the GNSS system. For example, if the receiver could connect to the Internet and run NTP, it could obtain accurate time. But this would be an infrequent operation (in the order of magnitude of days), thus useful only if highly stable clock hardware were available.

4.3 Doppler Shift Test (DST)

Based on the received GNSS signal Doppler shift, with respect to the nominal transmitter frequency (f_t = 1.575 GHz), the receiver can predict future Doppler shift values. Once lock to GNSS signals is obtained again, predicted Doppler shift values are compared to the ones calculated from the received GNSS signal. If the latter differ from the predicted ones beyond a threshold, the GNSS signal is deemed adversarial and rejected. What makes this approach attractive is the smooth change of the Doppler shift and the ability to predict it with low, essentially constant errors over long periods of time. This is in stark contrast to the inertial test based on location, whose error grows exponentially with time.

The Doppler shift is produced due to the relative motion of the satellite with respect to the receiver. The satellite velocity is computed using ephemeris information and an orbital model available at the receiver. The received frequency, f_r, increases as the satellite approaches and decreases as it recedes from the receiver; it can be approximated by the classical Doppler equation:

$f_r = f_t \cdot \left(1 - \frac{v_r \cdot a}{c}\right)$   (5)

where f_t is the nominal (transmitted) frequency, f_r the received frequency, v_r the satellite-to-user relative velocity vector, and c the speed of radio signal propagation. The product v_r · a represents the radial component of the relative velocity vector along the line-of-sight (unit vector a) to the satellite.

If the frequency shift differs from the one predicted for each visible satellite S_i in the area, based on the data obtained from the almanac (in the case when the navigation history is available), by more than the defined thresholds (Δf_min, Δf_max), or if the Doppler shift estimated from the navigation history differs by more than the shift estimated knowing the rate (r), the receiver can deem the received signal the product of an attack.

Figure 7: Measured and approximated Doppler frequency shift.

The Almanac contains the approximate positions of the satellites, (X_Si, Y_Si, Z_Si), the time and week number (WN, t), and the corrections, such that the receiver is aware of the expected satellites, their positions, and the Doppler offset.

Because of the high carrier frequencies and large satellite velocities, large Doppler shifts are produced (±5 kHz), and they vary rapidly (1 Hz/s). The oscillator of the receiver has a frequency shift of ±3 kHz, thus the resultant frequency shift goes up to ±9 kHz. Without knowledge of the shift, the receiver has to perform a search in this range of frequencies in order to acquire the signal. The rate of change of the received Doppler shift caused by the relative movement between a GPS satellite and a vehicle is approximately 40 Hz per minute at the maximum. These variations are linear for every satellite. If the receiver is mobile, the Doppler shift variation can be estimated knowing the velocity of the receiver [3].

In our simulations, the Doppler shift is analyzed for each available satellite (the number of available satellites varies). To be consistent with the results shown for the other mechanisms, we present results for DST for the 300 sec period.

We observe in Fig. 7 the Doppler shift variation based on data collected by an ASHTECH receiver: the maximum change in rate is within ±20 Hz around a linear curve fitted to the data. This suggests that with sufficient samples, the future Doppler shift rate, and thus the shift values per se, can be predicted. In practice, we observe that 50 sec of samples, with one sample per second, appear to be sufficient.

More precisely, the rate of change, r_i, of the frequency shift D_i(t) is computed for each satellite S_i as:

$r_i = \frac{dD_i(t)}{dt}$   (6)

which can be approximated by numerical methods. Based on prior samples of each D_i, available for some time window, the frequency shift can be predicted from those samples and the estimated rate of change of the Doppler shift. Based on prior measured statistics of the signal at the receiver, the variance σ² of a random component, assumed to be N(0, σ²), can be estimated. This random component is due to signal variation (including receiver mobility, RF multipath, scattering). Its estimation can serve to determine an acceptable interval around the predicted values.

Figure 8: Doppler shift attack; unsophisticated adversary. The dotted line represents the predicted and the solid line the measured frequency offset.

The adversary is mostly on the ground and static or moving with a speed that is much smaller than the satellite velocity, which is in a range around 3 km/s. Thus, the adversary will not be able to produce the same Doppler shift as the satellites, unless it changes its transmission frequency to match the one receivers would obtain from GNSS signals due to the Doppler shift. An unsophisticated attacker would then be easily detected. This is illustrated in Fig. 8: after a "gap" corresponding to jamming, there is a striking difference, between 100 and 150 seconds, when comparing the Doppler shift due to the attack to the predicted one.

The case of a sophisticated adversary that controls its transmission frequency (the attack starts at 160 s) is shown in Fig. 9. The adversary has multiple adaptive radios and it operates according to the following principle: it predicts the Doppler frequency shift at the location of the receiver, and it then changes its transmission frequency accordingly. If the attacker is not precisely aware of the actual location and motion dynamics of the victim node (receiver), there is still a significant difference between the predicted and the adversary-caused Doppler shift. This is shown, with a magnitude of approximately 300 Hz, in Fig. 9, a difference that allows detection of the attack.
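An added example, not the authors' Matlab code: the Doppler Shift Test of Sec. 4.3 as a normal-mode / alert-mode detector in Python. The satellite's Doppler law, the ±10 Hz jitter and the three alert-mode scenarios (re-acquired satellite, static fixed-frequency transmitter, adaptive adversary with a ~300 Hz prediction mismatch) are constructed inputs; the acceptance interval is k·σ around the linear prediction, with σ estimated from the normal-mode residuals as the section describes, and k = 4 is an assumed threshold.

```python
# Added example (not code from the paper): the Doppler Shift Test of Sec. 4.3.
# Normal mode: collect Doppler samples D_i(t) for one satellite S_i and fit the
# rate r_i = dD_i/dt of Eq. (6) plus the spread sigma of the random component.
# Alert mode: compare measured shifts with the prediction; deviations beyond
# k*sigma mark the signal as adversarial. All sample data below is constructed.
import math

def fit_doppler(times, shifts):
    """Least-squares line through normal-mode samples.
    Returns (d0, rate, sigma): the predicted shift is d0 + rate*t, and sigma is
    the standard deviation of the residual random component (assumed N(0, sigma^2))."""
    n = len(times)
    mt = sum(times) / n
    md = sum(shifts) / n
    sxx = sum((t - mt) ** 2 for t in times)
    sxy = sum((t - mt) * (d - md) for t, d in zip(times, shifts))
    rate = sxy / sxx                      # numerical estimate of dD_i(t)/dt
    d0 = md - rate * mt
    resid = [d - (d0 + rate * t) for t, d in zip(times, shifts)]
    sigma = math.sqrt(sum(e * e for e in resid) / (n - 2))
    return d0, rate, sigma

def predict_shift(model, t):
    d0, rate, _ = model
    return d0 + rate * t

def doppler_shift_test(model, times, measured, k=4.0):
    """Alert-mode check. Returns (under_attack, max_deviation_hz). Any sample
    deviating from the prediction by more than k*sigma means the whole alert-mode
    window is deemed adversarial and its PVT solutions are discarded."""
    _, _, sigma = model
    deviations = [abs(m - predict_shift(model, t)) for t, m in zip(times, measured)]
    worst = max(deviations)
    return worst > k * sigma, worst

# ---- constructed scenario ---------------------------------------------------
TRUE_D0, TRUE_RATE = 1500.0, -0.6  # constructed satellite Doppler law, Hz and Hz/s
                                   # (|rate| within the ~40 Hz/min the paper cites)

def true_doppler(t):
    return TRUE_D0 + TRUE_RATE * t

def jitter(t):
    """Bounded, zero-mean measurement jitter (+/-10 Hz) standing in for the
    scatter around the linear fit seen in Fig. 7; deterministic on purpose."""
    return 10.0 * math.sin(math.pi * t / 2)

NORMAL_TIMES = list(range(0, 50))     # 50 s of normal mode, one sample per second
ALERT_TIMES = list(range(100, 150))   # samples after a 50 s jamming gap

def scenario(kind):
    """Measured Doppler in alert mode for the three cases discussed in Sec. 4.3."""
    if kind == "legitimate":          # the real satellite signal is re-acquired
        return [true_doppler(t) + jitter(t) for t in ALERT_TIMES]
    if kind == "unsophisticated":     # static ground transmitter at a fixed frequency:
        return [0.0 + jitter(t) for t in ALERT_TIMES]   # no satellite-like Doppler at all
    if kind == "sophisticated":       # adaptive radios predicting the Doppler for a
        return [true_doppler(t) + 300.0 + jitter(t) for t in ALERT_TIMES]  # wrong victim position
    raise ValueError(kind)

def run(kind, k=4.0):
    model = fit_doppler(NORMAL_TIMES, [true_doppler(t) + jitter(t) for t in NORMAL_TIMES])
    return doppler_shift_test(model, ALERT_TIMES, scenario(kind), k)

if __name__ == "__main__":
    for kind in ("legitimate", "unsophisticated", "sophisticated"):
        attack, worst = run(kind)
        print(f"{kind:16s} max deviation {worst:7.1f} Hz -> {'ATTACK' if attack else 'ok'}")
```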

5 Conclusion

Existing GNSS receivers are vulnerable to a number of attacks that manipulate the location and time the receivers compute. We qualitatively and quantitatively analyze those in this paper, and identify memory-based mechanisms that can help in securing GNSS signals. In particular, we realize that location-based inertial mechanisms and a clock offset test can be relatively easily defeated, with the adversary causing (through jamming) a sufficiently long period of unavailability. In the latter case, only specialized highly stable clock hardware could enable detection of fraudulent GNSS signals. Our Doppler Shift Test provides resilience to long unavailability periods without specialized equipment.

Figure 9: Doppler shift attack; sophisticated adversary. The dotted line represents the predicted and the solid line the measured frequency offset.

Our results are the first, to the best of our knowledge, to provide a tangible demonstration of effective mechanisms to secure mobile systems from location information manipulation via attacks against the GNSS systems.

As part of on-going and future work, we intend to further refine and generalize the simulation framework we utilized here, to consider precisely the effect of counter-measures that only partially limit the attack impact. Moreover, we will consider more closely the cost of mounting attacks of differing sophistication levels, especially through proof-of-concept implementations.